CPSA Import Flashcards
CPSA Import
What is a passive OS fingerprinting technique
Passively observing network traffic (e.g. in Wireshark) for clues about the OS without sending any packets to the target. p0f is a tool that listens on the wire and fingerprints the OS from TCP/IP stack characteristics such as initial TTL, window size and TCP option ordering
What is an active OS fingerprinting method
Sending crafted probes to the target and analysing its responses, e.g. nmap's OS detection (nmap -O)
nmap flag to get OS details of target
-O for Operating System details
What is banner grabbing
Connecting to a service and reading the banner or headers it returns (an SSH version string, an HTTP Server header, an SMTP greeting) to identify the software and version in use
How can we get application versions from a network
Run an nmap scan with the -sV flag to enable service/version detection
How can we get server types from banners
curl -I <url> sends a HEAD request and prints the response headers, which often include a Server header, e.g. Server: Apache/2.4.41 (Ubuntu)
What is the difference between encryption and encoding
Encryption requires a secret key and cannot be reversed without it, whereas encoding uses a publicly known scheme (such as Base64) to convert data from one form to another, so anyone can reverse it; encoding provides no confidentiality
What is encryption
Encryption involves using an algorithm and a key to transform plaintext into ciphertext. The process is reversible only if the correct decryption key is used
What is encoding
Encoding uses a predefined, public scheme to convert data from one form to another. The process is reversible by anyone without a key
What are the key factors that change between encoding and encryption
Reversibility (encoding can be reversed by anyone who knows the scheme; encryption only by a holder of the key) and the security goal (encoding gives no confidentiality; encryption does)
What are examples of encryption
RSA, AES
What are examples of encoding
Base64, ASCII, URL encoding
What is a hash
A hash function takes an input of any length and returns a fixed-size output known as the digest. The same input always produces the same digest, and the function is one-way (the input cannot be recovered from the digest)
What are the two most known hashes
MD5 and SHA-1
Are MD5 and SHA1 considered secure
MD5 and SHA1 are considered insecure and unsuitable for most applications
Bit length of MD5
128-bit hash
What was MD5 designed for
MD5 was designed to be a cryptographic hash function used for integrity checking, digital signatures, etc
Why is MD5 considered insecure
Due to collision vulnerabilities, researchers found that MD5 is susceptible to collision attacks where two DIFFERENT inputs result in the same hash output
What is a collision vulnerability
Where two different inputs result in the same hash output
What is the real world risk of collision vulnerabilities in hashing
Forging documents that verify as genuine, e.g. creating a rogue certificate with the same MD5 hash as a legitimately signed certificate so that the forgery appears trusted (demonstrated in practice against MD5-signed CA certificates in 2008)
What is SHA1 bit size
160-bit hash
What was SHA1 designed for
SHA-1 was designed as a general-purpose cryptographic hash and was widely used in SSL/TLS certificates, digital signatures and file integrity validation
Why is SHA1 considered insecure
SHA-1 is considered insecure because researchers demonstrated a practical collision (the SHAttered attack, 2017): two different inputs that produce the same SHA-1 digest
Is SHA1 considered secure
No. SHA-1 is considered insecure and should not be used for digital signatures, certificates or anything else that depends on collision resistance
Is SHA1 exploitable/breakable
SHA-1 is breakable: the cost and time required to generate SHA-1 collisions keep decreasing, making it feasible for well-funded attackers
NIST advice for SHA1
NIST advises against using SHA-1 and recommends stronger algorithms such as SHA-256 (SHA-2 family) or SHA-3
What is HMAC
A type of Message Authentication Code that combines a cryptographic hash function with a secret key to provide data integrity and authenticity; the key is shared only between sender and recipient
What does MAC in HMAC stand for
Message Authentication Code
What does a HMAC do
It verifies that the payload has not been tampered with and was produced by a holder of the secret key, e.g. a JWT signed with HS256 carries an HMAC-SHA256 tag over its header and payload that the verifier recomputes
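The following added example (Python, not part of the original flashcards) puts the hash and HMAC cards above into working code: it reports the digest sizes of MD5, SHA-1 and SHA-256, signs a JSON-style payload with HMAC-SHA256 and shows that tampering with the payload or using a different key fails verification. The key and payload are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; in practice the key comes from a secret store, never source code.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def digest_bits(algorithm: str, data: bytes) -> int:
    """Output size in bits of the named hashlib algorithm (md5 -> 128, sha1 -> 160)."""
    return hashlib.new(algorithm, data).digest_size * 8


def sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 tag over the payload, hex encoded (JWT HS256 does the same, base64url encoded)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time to avoid a timing side channel."""
    expected = sign(key, payload)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    payload = b'{"sub":"alice","role":"user"}'
    tag = sign(SHARED_KEY, payload)
    # An attacker who flips the role cannot produce a matching tag without the key.
    tampered = payload.replace(b'"role":"user"', b'"role":"admin"')
    return {
        "md5_bits": digest_bits("md5", payload),
        "sha1_bits": digest_bits("sha1", payload),
        "sha256_bits": digest_bits("sha256", payload),
        "valid": verify(SHARED_KEY, payload, tag),
        "tampered_payload": verify(SHARED_KEY, tampered, tag),
        "wrong_key": verify(b"another-key", payload, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that a plain hash alone (sha256(payload)) would not stop the tampering: the attacker can recompute it. The secret key is what turns integrity into authenticity, and compare_digest is what stops an attacker from guessing the tag byte by byte via response timing.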
What is the OSI Model
The OSI Model is a seven-layer reference model that standardises how networked systems communicate, so that hardware and software from different vendors and technologies can interoperate
What are the layers of the OSI Model (in order)
Physical, Data Link, Network, Transport, Session, Presentation, Application
What are the layers of the TCP/IP Model
Link, Internet, Transport, Application
What is Layer 3 of the OSI Model and what does it do
Layer 3 is the Network layer. It provides logical addressing (IP) and routing, forwarding packets hop by hop across networks until they reach their destination
In the postal/mail example of Network, what is the IPv4/IPv6
It is the unique postal address and suburb of the receiver’s building
In the postal/mail example of Network, what is the MAC Address
It is the exact floor and apartment of the receiver
How many groups (octets) make up an IPv4 address
4 octets of 8 bits each, written in dotted-decimal notation (e.g. 192.168.24.2)
How many bits are in an IPv4 address
32
What is the number convention of each bit in the IPv4 Address (descending order)
128, 64, 32, 16, 8, 4, 2, 1
What is the Subnet Mask
Describes which bit positions within the address are the network part and the host part
With a subnet mask of 255.255.0.0, can the 192.168 part of 192.168.24.2 change within the subnet? Explain
No. A mask octet of 255 (all eight bits set) means that whole octet is network part and is fixed within the subnet. For a partial octet such as 192, write the mask octet in binary (11000000): the bit positions that are 1 in the mask are network bits and cannot change, the positions that are 0 are host bits and can. The mask can be read from either dotted-decimal form or the CIDR suffix
What is CIDR
Classless Inter-Domain Routing is a method of representing the subnet mask in a suffix form
Give an example of a CIDR suffix and which parts of the IPv4 can and cannot change due to the subnet mask/CIDR suffix
/26 means the first 26 bits of the mask are 1, i.e. 255.255.255.192 = 11111111.11111111.11111111.11000000, so the last 6 bits are host bits and can change. That gives 2^6 = 64 addresses per subnet (62 usable, after the network and broadcast addresses), and from this we can compute the first and last IPs of the subnet
What is IPv6 and how many bits in length
IPv6 is the successor of IPv4 and is 128 bits in length
How many blocks is a IPv6 address
8 groups of 16 bits each, written as 4 hexadecimal digits per group and separated by colons
How can a IPv6 Address be shortened
Leading zeros within a group can be dropped, and one run of consecutive all-zero groups can be replaced with a double colon (::), e.g. 2001:0db8:0000:0000:0000:0000:0000:0001 becomes 2001:db8::1
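An added example (Python, not from the original flashcards) that works the subnetting cards above: it expands a CIDR suffix into the dotted-binary mask, counts the host bits, computes the network, broadcast and usable range, tests whether two addresses share a subnet, and compresses an IPv6 address. It only uses the standard library ipaddress module; the addresses are illustrative.

```python
import ipaddress


def mask_bits(network: ipaddress.IPv4Network) -> str:
    """Subnet mask as dotted binary, e.g. 11111111.11111111.11111111.11000000 for /26."""
    return ".".join(f"{octet:08b}" for octet in network.netmask.packed)


def describe_subnet(cidr: str) -> dict:
    """Network/broadcast/usable range for an IPv4 CIDR, plus how many host bits may vary."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address like 192.168.24.2/26
    # hosts() excludes network and broadcast; for /31 and /32 every address is usable
    hosts = list(net.hosts()) if net.prefixlen < 31 else list(net)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "mask_binary": mask_bits(net),
        "host_bits": net.max_prefixlen - net.prefixlen,   # the 0 bits of the mask
        "total_addresses": net.num_addresses,             # 2 ** host_bits
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def same_subnet(addr_a: str, addr_b: str, cidr: str) -> bool:
    """True when both addresses fall inside the network defined by the mask (same network bits)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(addr_a) in net and ipaddress.ip_address(addr_b) in net


def compress_ipv6(addr: str) -> str:
    """Drop leading zeros per group and collapse the longest run of zero groups into '::'."""
    return ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for key, value in describe_subnet("192.168.24.2/26").items():
        print(f"{key}: {value}")
    print(same_subnet("192.168.24.2", "192.168.24.70", "192.168.24.0/26"))  # different /26
    print(compress_ipv6("2001:0db8:0000:0000:0000:0000:0000:0001"))
```

For 192.168.24.2/26 the function reports network 192.168.24.0, broadcast 192.168.24.63 and 62 usable hosts, matching the hand calculation on the card; 192.168.24.70 lies in the next /26 block, which is why the membership test fails.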
TCP Telnet
23
TCP SSH
22
SNMP port (UDP, not TCP)
161
TCP HTTP
80
TCP HTTPS
443
DNS port (UDP for most queries, TCP for zone transfers and large responses)
53
TCP FTP
21 (control channel) and 20 (data channel in active mode)
TFTP port (UDP, not TCP)
69
NTP port (UDP, not TCP)
123
TCP SMTP
25
TCP SMB
445
TCP RDP
3389
TCP LDAP
389
ICMP port
ICMP has no ports: it runs directly over IP (protocol number 1), not over TCP or UDP. The 0-255 range refers to the ICMP type field, e.g. type 8 is echo request and type 0 is echo reply
23
Telnet
22
SSH
161
SNMP
80
HTTP
443
HTTPS
53 TCP
DNS
69
TFTP
123
NTP
25
SMTP
MySQL
3306
3306
MySQL
DHCP
67
67
DHCP
What is UDP
UDP is a connectionless protocol: it does not establish a connection before transmitting, it simply sends datagrams and does not check whether they were received or reorder them
What is an example of UDP
Video streaming, online gaming
What does UDP stand for
User Datagram Protocol
What is TCP
TCP is a connection-based protocol that establishes a virtual connection between two devices before transmitting data via a Three-Way handshake, as a result TCP is slower than UDP
What is the negative of TCP
It has more overhead and is slower than UDP because of the Three-Way Handshake, acknowledgements and retransmissions
What does TCP stand for
Transmission Control Protocol
What is ICMP
ICMP is used by network devices to exchange control and error messages (e.g. destination unreachable, time exceeded) and for diagnostics such as ping, which sends an echo request and expects an echo reply to test connectivity
What does ICMP stand for
Internet Control Message Protocol
What is symmetric encryption
A method that uses the same key to encrypt and decrypt the data, meaning the sender and receiver must have the same key to decrypt the data
What are examples of symmetric encryption
AES and DES
What does AES stand for
Advanced Encryption Standard
What does DES stand for
Data Encryption Standard
What is considered to be the most secure encryption algorithm nowadays
AES is the accepted standard for symmetric encryption today (e.g. AES-256 in an authenticated mode such as GCM); DES and 3DES are deprecated
What is asymmetric encryption
A method of encryption that uses a mathematically linked key pair: a public key that anyone may hold and a private key kept secret by its owner. Data encrypted with the public key can only be decrypted with the private key; conversely, the private key signs and the public key verifies
What are examples of asymmetric encryption
RSA and ECC (e.g. ECDH, ECDSA). PGP is a program/standard that uses these asymmetric algorithms together with symmetric ciphers, rather than an algorithm itself
What does RSA stand for
Rivest-Shamir-Adleman
What does PGP stand for
Pretty Good Privacy
What does ECC stand for
Elliptic Curve Cryptography
What is 3DES
3DES applies the DES algorithm three times (encrypt-decrypt-encrypt), usually with two or three independent 56-bit keys, giving an effective strength of about 112 bits. It is slow and now deprecated in favour of AES
Which is faster AES or DES and why
AES is faster. It works on 128-bit blocks with byte-oriented operations (substitutions, shifts, XORs) that map efficiently to software and has hardware support (AES-NI), whereas DES relies on bit-level permutations that are slow in software and 3DES triples that work
What does IKE stand for
Internet Key Exchange
What is Diffie-Hellman
Diffie-Hellman is a key exchange method that allows two parties to agree on a shared secret key over an insecure channel without any prior shared secret
What is Diffie-Hellman vulnerable to
Unauthenticated Diffie-Hellman is vulnerable to MITM attacks: the attacker intercepts both public values, runs a separate exchange with each party and relays traffic between them, so each party unknowingly shares a key with the attacker. The fix is to authenticate the exchange, e.g. by signing the DH values with a certificate-backed key as TLS does
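An added example (Python, not from the original flashcards) that runs the Diffie-Hellman exchange described above twice: once honestly, and once with an attacker substituting her own public values. The group parameters are a toy choice for illustration (2**127 - 1 is prime, but it is not a safe prime and the generator's subgroup order is not checked); real systems use RFC 3526 MODP groups of 2048 bits or more, or ECDH.

```python
from __future__ import annotations

import secrets

# Toy parameters for illustration only (see lead-in); not for real use.
P = 2**127 - 1
G = 3


def keypair() -> tuple[int, int]:
    """Private exponent and the public value g^a mod p that gets sent over the wire."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv: int, other_pub: int) -> int:
    """(g^b)^a mod p == (g^a)^b mod p, so both ends compute the same value."""
    return pow(other_pub, priv, P)


def honest_exchange() -> tuple[int, int]:
    """Alice and Bob exchange public values directly and derive identical secrets."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_secret(a_priv, b_pub), shared_secret(b_priv, a_pub)


def mitm_exchange() -> dict:
    """Mallory intercepts both public values and replaces each with her own.

    Nothing authenticates the public values, so Alice derives a secret shared
    with Mallory, Bob derives a different secret also shared with Mallory, and
    Mallory can decrypt, read and re-encrypt every message in both directions.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv_for_alice, m_pub_for_alice = keypair()
    m_priv_for_bob, m_pub_for_bob = keypair()

    # Alice believes m_pub_for_alice came from Bob; Bob believes m_pub_for_bob came from Alice.
    alice_secret = shared_secret(a_priv, m_pub_for_alice)
    bob_secret = shared_secret(b_priv, m_pub_for_bob)
    # Mallory combines her private exponents with the genuine public values she intercepted.
    mallory_with_alice = shared_secret(m_priv_for_alice, a_pub)
    mallory_with_bob = shared_secret(m_priv_for_bob, b_pub)

    return {
        "alice_matches_mallory": alice_secret == mallory_with_alice,
        "bob_matches_mallory": bob_secret == mallory_with_bob,
        "alice_matches_bob": alice_secret == bob_secret,
    }


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange agrees:", a == b)
    print("mitm:", mitm_exchange())
```

The attack works entirely within the rules of the protocol; only adding authentication of the public values (signatures, certificates, or a pre-shared key as in IKE) lets Alice and Bob detect that the value they received did not come from each other.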
What are Key Exchange Methods
Diffie-Hellman, ECDH (elliptic-curve Diffie-Hellman) and RSA key transport (the client encrypts a secret under the server's RSA public key; removed in TLS 1.3). ECDSA is a signature algorithm used to authenticate an exchange rather than a key exchange method itself
What is RSA
RSA is a public-key algorithm whose security relies on the difficulty of factoring the product of two large primes: multiplying them is easy, recovering them from the product is computationally hard. It is used for encryption/key transport and for digital signatures
What does ECDH stand for
Elliptic Curve Diffie-Hellman
What does ECDSA stand for
Elliptic Curve Digital Signature Algorithm
What are examples of commonly used authentication protocols
The card lists TLS, SSL, OAuth, HTTPS and 2FA. Strictly, TLS/SSL (and HTTPS, which is HTTP over TLS) are transport-security protocols that authenticate the server via certificates, OAuth is an authorisation framework and 2FA is an authentication requirement; authentication protocols proper include Kerberos, NTLM, LDAP bind, RADIUS and TACACS+ (covered later in this deck)
What does WEP stand for
Wired Equivalent Privacy
What does WPA stand for
Wi-Fi Protected Access
What are security features on a WiFi connection
Encryption, Access Control and Firewalls
What does WPA do
WPA replaced WEP. It authenticates clients with a pre-shared key (WPA-Personal) or 802.1X/EAP against a RADIUS server (WPA-Enterprise) and derives fresh per-session keys. The original WPA (TKIP) has since been superseded by WPA2 (AES-CCMP) and WPA3, which should be used today
What is LEAP and PEAP
LEAP (Cisco proprietary) and PEAP are EAP authentication methods used with 802.1X on WPA/WPA2-Enterprise wireless networks to authenticate users or devices against a RADIUS server before granting network access
What does LEAP stand for
Lightweight Extensible Authentication Protocol
What does PEAP stand for
Protected Extensible Authentication Protocol
Which is more secure, LEAP or PEAP and why
PEAP is more secure: it wraps the inner authentication in a TLS tunnel in which the server is authenticated by certificate, so credentials are never exposed on the air. LEAP uses an unprotected password-based (MS-CHAP style) challenge/response, which can be captured and cracked offline with a dictionary attack
What is a Disassociation Attack
A wireless denial-of-service attack that disrupts communication between an access point and its clients by sending forged disassociation (or deauthentication) management frames; these were unauthenticated in the original 802.11 standard, so clients obey them and disconnect. 802.11w (Protected Management Frames) mitigates it
What is IPSec
IPsec is a suite of protocols that secures IP traffic at the network layer by authenticating and optionally encrypting each packet. ESP encrypts the payload (and can authenticate it); AH adds an authentication header that verifies integrity and origin without encryption. IKE negotiates the keys and security associations
What two security protocols does IPSec use
Authentication Header (AH) and Encapsulating Security Payload (ESP)
What is ESP
Encapsulating Security Payload provides confidentiality by encrypting the payload of each IP packet, plus optional integrity/authentication; in tunnel mode the whole original IP packet is encapsulated
Internet Key Exchange (IKE) Port
UDP 500
UDP 500
Internet Key Exchange (IKE)
What is SSL
SSL is a cryptographic protocol designed to provide secure communication over a computer network, it was the predecessor of TLS
Which is more secure SSL 3.0 or TLS 1.0
TLS 1.0, although both are now deprecated; use TLS 1.2 or 1.3
What is the standard protocol for securing communications
TLS
What is PGP
PGP is an encryption program that provides cryptographic privacy and authentication for data communication
What is PGP often used for
PGP is often used to secure emails and files encrypting them, ensuring only the intended recipient can read the contents
What is TKIP
TKIP is a security protocol used in wireless networks and was designed as a temporary solution to improve security on existing hardware that initially only supported weaker WEP encryption
What does TKIP stand for
Temporal Key Integrity Protocol
Where does TKIP rank amongst WEP and WPA
TKIP was the cipher suite of the original WPA: an improvement over WEP (per-packet keys, a message integrity check) but weaker than WPA2's AES-CCMP, and TKIP is now deprecated
What encryption does WPA2 use
AES, in CCMP mode
Why was WEP depracated
WEP was deprecated because of weak encryption: RC4 with a short 24-bit IV that repeats quickly and poor key management, which makes key-recovery attacks practical within minutes of traffic capture
What information can we find in a WHOIS query
Domain name, registrar, registrant contact, administrative contact, technical contact, creation/expiration dates, name servers, etc.
What is a whois query
It is like a phonebook for the internet
What tool can be used to query DNS information
dig
What does dig stand for
Domain Information Groper
What is DNS
DNS is like the internet’s GPS system, guiding your journey resolving domain names to precise IP addresses
What is a DNS zone
A zone is a distinct part of the domain namespace that a specific entity manages, e.g: example.com and all its subdomains would belong to the same DNS zone
What is a DNS Zone Transfer
A DNS Zone Transfer (AXFR) copies all DNS records of a zone from a primary name server to a secondary one so both hold an identical copy
What is a DNS Zone Transfer vulnerability
If not properly secured, the Zone Transfer file can be downloaded, revealing a complete list of subdomains, their associated IP addresses and other sensitive DNS data
How to check for a DNS Zone Transfer vulnerability
dig axfr <domain> @<nameserver> (a vulnerable server returns the full zone; a secured one answers with a transfer-refused error)
How to find the DNS server
dig ns <domain>
What is an A Record
It is a mapping to an IPv4 Address
What is an AAAA Record
It is a mapping to an IPv6 Address
What is a CNAME
Canonical Name, it creates an alias for a hostname, pointing it to another hostname
What is an MX Record
Mail Exchange Record, specifies the mail server(s) responsible for handling emails for the domain
What is an NS Record
Name Server Record, delegates a DNS Zone to a specific authoritative name server
What is a TXT Record
Text Record, stores arbitrary text information, often used for security policies and domain ownership verification
What is a PTR Record
Pointer Record, used for reverse DNS lookups, mapping an IP address to a hostname
What is a SOA Record
Start of Authority Record, specifies administrative information about a DNS zone, including primary name server, responsible person’s email and other parameters
What are Search Operators for Google Dorking
site: , inurl:, filetype:
How can we find a specific extension with Google Dorks
site:example.com ext:conf (or filetype:conf); operator names are lowercase
What is Telnet?
Telnet is a protocol used for accessing remote devices over TCP/IP networks, allowing a user to login to another computer remotely, providing a CLI to manage and control the remote device
What port is Telnet on?
Port 23
What is Port 23
Telnet
Name two vulnerablities in Telnet
Lack of encryption and weak authentication
What is the lack of encryption in Telnet
Telnet transmits all data including usernames and passwords in plaintext
What is the weak authentication in Telnet
Telnet often lacks strong authentication mechanisms (simple passwords, no lockout, no key-based auth), making it easier for attackers to gain unauthorised access
What is a common Web based protocol
HTTP/HTTPS
What is HTTP/HTTPS used for
HTTP/HTTPS is the protocol used to transfer information between a client (such as a browser) and a web server; HTTPS is HTTP carried over TLS
What port does HTTP listen on
Port 80
What port does HTTPS listen on
Port 443
What is port 80
HTTP
What is port 443
HTTPS
What are two vulnerablities on HTTP/HTTPS
HTTP lacks encryption and HTTPS is still vulnerable if using older SSL/TLS protocols
What is the HTTP vulnerability
All data is sent over plaintext as HTTP does not use encryption
What is the HTTP S vulnerablity
If the web server still accepts SSL 2.0/3.0, TLS 1.0 or TLS 1.1 (all deprecated), or weak cipher suites (RC4, export-grade, CBC suites open to padding oracles), an attacker may downgrade or decrypt traffic via known attacks such as POODLE or BEAST. TLS 1.2 with strong suites, or TLS 1.3, is the current recommendation
What is Secure Shell (SSH)
SSH is a cryptographic network protocol used for secure remote login, replacing older protocols like Telnet
What port does SSH listen on
Port 22
What is Port 22
SSH
What are two vulnerabilities with SSH
Brute force attacks and credential theft
What is the brute force attack vulnerability in SSH
Attackers can try many username/password combinations
What is the credential theft vulnerability in SSH
If SSH keys or passwords are compromised, an attacker can gain unauthorised access to a system
What is SNMP
SNMP (Simple Network Management Protocol) is used for managing devices on IP networks, such as routers, switches and servers. It enables monitoring and control of these devices
What does SNMP stand for
Simple Network Management Protocol
What port does SNMP listen on
UDP Port 161
What are two vulnerabilities with SNMP
Lack of encryption and unauthorised access
What is the lack of encryption in SNMP
SNMP v1 and v2c do not provide encryption, making the traffic vulnerable to interception
What is the unauthorised access vulnerablitiy in SNMP
If the SNMP community strings (which act as passwords) are known or guessed, an attacker can read or alter device configuration. Many devices ship with the default community strings "public" (read-only) and "private" (read-write), which are often left unchanged
What is TFTP
TFTP is primarily used to transfer files to and from network devices
What does TFTP stand for
Trivial File Transfer Protocol
What port does TFTP listen on
UDP Port 69
What are two vulnerabilities with TFTP
No authentication and no encryption on transfers
What is the no authentication vulnerability on TFTP
TFTP does not provide any form of authentication, making it vulnerable to unauthorised file access and transfers
What is the no encryption on transfers vulnerability in TFTP
TFTP transfers files in plaintext, allowing attackers to intercept or tamper with the data
What is Cisco Reverse Telnet
Cisco Reverse Telnet lets an administrator Telnet to a specific asynchronous line on a Cisco device (e.g. a terminal server), which connects onward to the serial console of another device; it is commonly used for out-of-band management
What port does Cisco Reverse Telnet listen on
TCP port 2000 + the async line number (e.g. line 1 is reachable on TCP 2001)
What are two vulnerabilities in Cisco Reverse Telnet
Lack of encryption and credential exposure
What is the lack of encryption vulnerability in Cisco Reverse Telnet
Like regular Telnet, Reverse Telnet lacks encryption making it vulnerable to eavesdropping and interception
What is the credential exposure vulnerability in Cisco Reverse Telnet
Since authentication is done in plaintext, credentials can easily be intercepted and reused by attackers
What is NTP
NTP is used to synchronise the clocks of networked devices to ensure all devices have the same correct time
What port does NTP listen on
UDP Port 123
What does NTP stand for
Network Time Protocol
What are two vulnerabilities in NTP
Time manipulation and NTP amplification attacks
What is the time manipulation vulnerability in NTP
If an attacker can alter the time provided by the NTP server, this can have significant consequences such as disrupting scheduled tasks or invalidating certificates
What is the NTP amplification attack
An attack that abuses NTP servers which answer small queries (classically the monlist command) with much larger responses; the attacker spoofs the victim's source IP so the amplified replies flood the target, producing a reflected DDoS
TACACS+ Port
TCP Port 49
TCP Port 49
TACACS+
What does ARP stand for
Address Resolution Protocol
What does ARP do
ARP is used to map IP Addresses to MAC addresses on a local network. When a device wants to communicate with another device on the same network it uses ARP to find the MAC Address for the corresponding target device’s IP Address
What vulnerabilities is ARP subject to
ARP Spoofing/Poisoning and MiTM attacks
What is ARP Spoofing/Poisoning
An attacker can send forged ARP messages onto the network, associating their own MAC Address with the IP of another device, allowing the attacker to intercept traffic
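An added example (Python, not from the original flashcards) of the detection side of the ARP card above: it walks a list of decoded ARP replies and alerts when an IP address is announced with a different MAC than before, when a static binding (e.g. the gateway) is contradicted, and when one MAC claims several IPs, the signature of a poisoning attack. The packets are constructed for the demo; in practice they would come from a sniffer.

```python
from collections import defaultdict

# Constructed ARP replies (op=2) as a sniffer might decode them.
# 192.168.1.1 is the gateway with real MAC aa:bb:cc:00:00:01; de:ad:be:ef:00:01 is the attacker.
SAMPLE_ARP = [
    {"t": 1.0, "op": 2, "sender_ip": "192.168.1.1",  "sender_mac": "aa:bb:cc:00:00:01"},
    {"t": 1.5, "op": 2, "sender_ip": "192.168.1.20", "sender_mac": "aa:bb:cc:00:00:20"},
    {"t": 2.0, "op": 2, "sender_ip": "192.168.1.1",  "sender_mac": "de:ad:be:ef:00:01"},
    {"t": 2.1, "op": 2, "sender_ip": "192.168.1.20", "sender_mac": "de:ad:be:ef:00:01"},
    {"t": 3.0, "op": 2, "sender_ip": "192.168.1.1",  "sender_mac": "de:ad:be:ef:00:01"},
]


def detect_arp_spoofing(packets, trusted=None):
    """Return alert strings for suspicious ARP replies; an empty list means nothing was flagged.

    trusted: optional static {ip: mac} bindings (typically the gateway) checked on every reply.
    The first MAC seen for an IP is kept as the baseline, so repeated spoofing keeps alerting.
    """
    trusted = trusted or {}
    seen = {}                       # ip -> first MAC observed for it
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for pkt in packets:
        if pkt["op"] != 2:          # only replies carry the binding that poisons caches
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"].lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"t={pkt['t']}: {ip} claimed by {mac}, static binding is {trusted[ip]}")
        if ip in seen and seen[ip] != mac:
            alerts.append(f"t={pkt['t']}: {ip} changed from {seen[ip]} to {mac}")
        seen.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:            # one host impersonating gateway and victim at once
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP, {"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

Legitimate events also change IP-to-MAC bindings (NIC replacement, DHCP reassignment, HSRP/VRRP failover using a virtual MAC), so the multi-IP and static-binding rules carry more weight than a single change; tools such as arpwatch apply the same idea over time.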
What does DHCP stand for
Dynamic Host Configuration Protocol
What port does DHCP listen on
UDP Port 67 and 68
What does DHCP do
DHCP automatically assigns IP addresses and other network configurations to devices on the network
What are vulnerabilities DHCP is subject to
Rogue DHCP servers and DHCP starvation attacks
What is a DHCP starvation attack
When an attacker can exhaust the pool of IP addresses available by rapidly requesting IP addresses, effectively denying new devices from obtaining a valid IP address
What is a rogue DHCP server
When an attacker can setup a rogue DHCP server on the network which can assign incorrect IP configurations to devices, leading them to use the attacker’s server as the default gateway
What is CDP
CDP is a proprietary protocol used by Cisco devices to share information about other directly connected Cisco devices
What does CDP stand for
Cisco Discovery Protocol
What vulnerabilities is CDP subject to
Information disclosure and CDP spoofing
What is CDP Spoofing
Attackers can send fake CDP messages to trick devices into believing they are connected to different devices, potentially disrupting network operations
What is information disclosure CDP is subject to
Since CDP broadcasts detailed information about the device (model, IOS version, IP address, native VLAN), an attacker on the same network segment can capture this data and gain insights into the network's structure and configuration
What does HSRP stand for
Hot Standby Router Protocol
What does HSRP do
HSRP is a Cisco protocol that provides high availability by allowing two or more routers to work together to present the appearance of a single virtual router to the hosts on the network
What port does HSRP listen on
UDP Port 1985
UDP Port 1985
HSRP
UDP Port 67 and 68
DHCP
What are vulnerabilities HSRP is subject to
Lack of authentication and HSRP Spoofing
What is the lack of authentication vulnerability HSRP is subject to
Older implementations of HSRP do not include strong authentication mechanisms making it easier for attackers to inject rogue HSRP messages
What is HSRP Spoofing
HSRP Spoofing is when an attacker can send crafted HSRP messages to take over the active router role, leading to traffic being directed through a malicious router
What is VRRP
VRRP is similar to HSRP but is an open IETF standard; it provides high availability by creating a virtual router backed by a group of physical routers, one of which acts as master
What does VRRP stand for
Virtual Router Redundancy Protocol
What are vulnerabilities VRRP is subject to
Weak authentication and VRRP spoofing
What is VRRP spoofing
VRRP spoofing is when an attacker sends spoofed VRRP advertisements with a higher priority to become the master router, thereby intercepting or disrupting network traffic
What is weak authentication in VRRP
Without strong authentication, VRRP messages can be easily spoofed allowing an attacker to manipulate the redundancy protocol
What does VTP stand for
VLAN Trunking Protocol
What is VTP
VTP is a Cisco proprietary protocol that propagates VLAN information within a switched network, simplifying VLAN management by allowing VLAN configurations to be made on one switch and automatically propagated to other switches in the domain
What are VTP vulnerabilities
VLAN trunking issues and VTP Manipulation
What are VLAN trunking issues
Misconfigurations or malicious reconfigurations of VTP can cause devices to be placed on unintended VLANs potentially exposing sensitive data
What is VTP Manipulation
When an attacker can configure a rogue switch with a higher VTP revision number causing other switches to adopt the attackers VLAN configuration
What does STP stand for
Spanning Tree Protocol
What does STP do
STP ensures a loop-free topology in Ethernet networks by managing redundant links; it prevents loops by placing certain ports in a blocking state
What are vulnerabilities STP is subject to
STP Manipulation and Denial of Service
What is DoS that STP is subject to
By flooding the network with BPDUs (e.g. constant topology-change notifications) an attacker can cause network instability, resulting in performance degradation or denial of service
What is STP Manipulation
An attacker can send fake Bridge Protocol Data Units (BPDUs) to manipulate the STP topology, potentially becoming the root bridge, causing traffic to flow through the attacker’s device
What is TACACS+
TACACS+ is a protocol used to authenticate and authorise users accessing network devices such as routers and switches
What does TACACS+ stand for
Terminal Access Controller Access-Control System Plus
Name two ways to enumerate devices running IPSec services
A UDP scan, nmap -sU -p 500,4500 <target>, to find IKE (UDP 500) and NAT-T (UDP 4500), and an IP protocol scan, nmap -sO <target>, to see whether ESP (protocol 50) and AH (protocol 51) are accepted. Banner grabbing is of limited use since IPsec services rarely return verbose banners, although attempting to connect may still reveal something
How can we fingerprint IPSec Services
Tools like ike-scan can fingerprint through crafted IKE requests to identify the vendor and version of the IPSec implementation
What is VoIP
VoIP is a technology that allows voice communication and multimedia sessions over IP networks such as the internet
What does VoIP stand for
Voice over Internet Protocol
What are two common VoIP protocols
SIP and RTP
What does SIP stand for
Session Initiation Protocol
What does RTP stand for
Real-Time Transport Protocol
What does RTP do
Handles the data transmission and transport of VoIP calls
What does SIP do
Used to initiate, maintain and terminate voice and video calls
How can we enumerate a VoIP Service
Using an nmap scan of common VoIP ports, e.g. nmap -sU -sT -p 5060,5061 <target> for SIP over UDP/TCP and SIP over TLS
SIP Port
Port 5060 (UDP and TCP); 5061 for SIP over TLS
Port 5060
SIP Port
How can we fingerprint VoIP Services
By analysing SIP headers such as User-Agent and Server in the responses to requests like OPTIONS, we can often determine the vendor and software version of the SIP server; tools like sipfinger automate this by sending SIP requests and analysing the responses
What is the SIP Protocol
SIP is one of the most widely used protocols for managing multimedia communication sessions, including voice and video calls
What is SIP communication similar to and how
SIP communications are similar to HTTP as they both rely on request/response transactions
What are common SIP request methods
INVITE, ACK, BYE, REGISTER and CANCEL
What is SIP - INVITE
Initiates a call
What is SIP - ACK
Confirms that the client has received a final response to an INVITE request
What is SIP - BYE
Terminates a call
What is SIP - REGISTER
Registers the user’s location (i.e their IP address) with a SIP server
What is SIP - CANCEL
Cancels a pending request
What are SIP security issues
Eavesdropping and Registration Hijacking
What is eavesdropping in SIP
Without encryption, SIP signalling can be intercepted, exposing call metadata and credentials, and the accompanying RTP media can be captured and replayed to listen in on calls; SIP over TLS and SRTP mitigate this
What is registration hijacking in SIP
An attacker can impersonate a legitimate user by hijacking their SIP registration, enabling them to receive calls intended for the user
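An added example (Python, not from the original flashcards) for the SIP enumeration, fingerprinting and request-method cards above: it builds a SIP OPTIONS request (the method servers answer with their capabilities), parses a SIP response into status line and headers, pulls the vendor banner from User-Agent/Server, and lists the methods the server advertises in Allow. The response, hostnames and 192.0.2.x addresses are constructed placeholders, not a real device; probe() shows how the same bytes would be sent over UDP 5060.

```python
from __future__ import annotations

import socket


def build_sip_options(target_host: str, target_port: int = 5060,
                      from_user: str = "scanner", local_ip: str = "192.0.2.10") -> bytes:
    """SIP OPTIONS request; like HTTP it is text, CRLF-delimited, with a blank line before the body."""
    lines = [
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:5060;branch=z9hG4bK-probe-1",  # branch must start with z9hG4bK
        f"From: <sip:{from_user}@{local_ip}>;tag=probe1",
        f"To: <sip:{target_host}>",
        f"Call-ID: probe-1@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_sip_response(raw: bytes) -> dict:
    """Split a SIP response into status, reason, case-insensitive headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    version, status, reason = lines[0].split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values contain ':' too
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def fingerprint(resp: dict) -> str | None:
    """Vendor/version banner: user agents use User-Agent, proxies/PBXs often use Server."""
    for name in ("user-agent", "server"):
        if name in resp["headers"]:
            return resp["headers"][name][0]
    return None


def allowed_methods(resp: dict) -> list[str]:
    """Methods advertised in Allow (INVITE, REGISTER, ...), useful for planning further tests."""
    return [m.strip() for value in resp["headers"].get("allow", [])
            for m in value.split(",") if m.strip()]


def probe(host: str, port: int = 5060, timeout: float = 2.0) -> dict | None:
    """Send OPTIONS over UDP and parse the reply; returns None on timeout (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sip_options(host, port), (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_sip_response(data)


# Constructed response for offline use; the banner value is fictional.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-probe-1;received=192.0.2.10\r\n"
    b"From: <sip:scanner@192.0.2.10>;tag=probe1\r\n"
    b"To: <sip:pbx.example.test>;tag=as5f2c1e\r\n"
    b"Call-ID: probe-1@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: ExamplePBX/1.2.3\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    resp = parse_sip_response(SAMPLE_RESPONSE)
    print(resp["status"], resp["reason"], "|", fingerprint(resp), "|", allowed_methods(resp))
```

Because SIP is unencrypted by default, everything shown here (and the REGISTER credentials that follow in a real session) is visible to anyone on the path, which is the eavesdropping and registration-hijacking risk the cards describe.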
How can we enumerate devices running Wireless services
airodump-ng can capture requests made by devices actively searching for networks, additionally Wireshark and Kismet can be used to scan for available wireless networks, list SSID’s and identify Access Points
How can we fingerprint Wireless services
Through 802.11 frame analysis tools like Wireshark and tshark, which can be used for capturing and analysing wireless frames
What is an SSID
An SSID is a unique name that identifies a specific wireless network; it is broadcast in beacon frames by the Access Point to help devices discover and connect to the network
What is the maximum length of an SSID
32 octets (bytes)
What does SSID stand for
Service Set Identifier
What is Active Directory
Active Directory is a centralised management service for resources including users, computers, groups, network devices, file shares, group policies, etc.
What is AD “essentially”
AD is essentially a read-only database for ordinary users: any authenticated domain user can read most of the directory (users, groups, computers, GPOs) regardless of privilege, which is why AD enumeration is so valuable to attackers
Wht is a Forest
A Forest is the top-level container which holds one or more domains, it represents the entire AD environment, where all domains share a common schema and global catalog
What is at the top of the AD hierarchy
Forest
What is a domain in AD
A domain is a logical group of objects (users, groups, computers) that share a common directory database, security policies and authentication; domains within a forest are linked by trusts
What is an Object in AD
An object can be defined as ANY resource present within an Active Directory such as users, computers, OU’s, etc.
What are attributes in AD
Every object has an associated set of attributes used to define characteristics of the given object.
Give example attributes of a user object
givenName (first name), displayName, mail, sAMAccountName and userPrincipalName (logon names). The password itself is stored only as a hash in unicodePwd, which cannot be read over LDAP
What can we think of domains in AD as
We can think of domains in AD like different states or countries
What can we think of Forest like in AD
A Forest is like the US, and the domains are all the states inside of the US
What is MSBROWSE
MSBROWSE is a Microsoft protocol that was used to maintain a list of resources such as shared printers and files that were available on the network
What superceded MSBROWSE
SMB
How to find the Master Browser
nbtstat -A <ip>; the host whose NetBIOS name table contains the __MSBROWSE__ entry is the master browser
What is a Global Catalog
A Global Catalogue is a domain controller that stores copies of ALL objects in an AD Forest. The GC allows both users and applications to find information about any object in ANY domain in the forest
What are the five roles of the FSMO
Schema Master, Domain Naming Master, Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master
What does FSMO stand for
Flexible Single Master Operations
What are the two groups of FSMO roles and what separates them
Forest-wide and Domain-wide, Forest-wide roles are for the entire forest but domain-wide is for each domain
What are the Forest-wide FSMO roles
Schema Master and Domain Naming Master
What are the domain-wide FSMO roles
Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master
How do the FSMO roles work in terms of delegation
All 5 FSMO roles are assigned to the first DC in the forest root domain, each time a new domain is added to a forest, the first DC in that domain also gets the RID Master, PDC Emulator and Infrastructure Master roles assigned
What are leaf objects in AD
When they do not or can not contain other objects
Why is DNS important for AD
AD DS uses DNS to allow clients (workstations, servers) to locate Domain Controllers, and for the Domain Controllers hosting the directory service to find and communicate with each other
What does AD DS stand for
Active Directory Domain Services
How do DNS resolutions work in AD
Domain-joined clients query DNS SRV records such as _ldap._tcp.dc._msdcs.<domain> (and _kerberos._tcp.<domain> for KDCs) to find the IP addresses of Domain Controllers
What does LDAP stand for
Lightweight Directory Access Protocol
What is LDAP
LDAP is a protocol for querying and modifying directory services such as AD; it is also used for authentication via the bind operation (TCP 389, or 636 for LDAPS)
What specified LDAP
RFC 4511
What is LDAP essentially
LDAP is the language that applications use to communicate with other servers that provide directory services, similar to a user interacting with an SQL DB through SQL queries
What cryptographic technique is used for NTLM, NTLMv1 and NTLMv2
Symmetric key cryptography
What cryptographic technique is used for Kerberos
Symmetric key cryptography (asymmetric cryptography is only involved when PKINIT, e.g. smart-card logon, is used)
What message type (encryption) is used for NTLMv1 and NTLMv2
MD4 hash, random number
What message type (encryption) is used for Kerberos
Encrypted tickets; legacy deployments used DES and RC4-HMAC (MD5-based), modern Kerberos uses AES
What does LANMAN stand for
LAN Manager
What does LANMAN do
LANMAN (LM) is the oldest password hash format used by the Windows OS; it is disabled by default on modern Windows versions
Where are LANMAN hashes stored
In the SAM database and in the NTDS.DIT database on the Domain Controller
What is the AD Database file
NTDS.dit
Why was LANMAN vulnerable and not in use anymore
Passwords were limited to 14 characters, converted to upper case, padded and split into two 7-character halves, each used as a DES key to encrypt a fixed constant, with no salt. Each half can therefore be cracked independently within a tiny keyspace
What is NTLMv1
NTLMv1 performs a challenge/response between a server and a client using the NTLM hash which is used for network authentication
What are the merits of NTLMv1
Improved on LM by using the NT hash (MD4 of the UTF-16LE password), so case is preserved and the password is not split into 7-character chunks. However, the NT hash is still unsalted and can be used directly in Pass-the-Hash attacks, and the v1 challenge/response (DES of the 8-byte server challenge under the split hash) is cheap to crack
Why was NTLMv2 created and why is it better than NTLMv1
Is a protocol that was created as a stronger alternative to v1, it is hardened against spoofing attacks that v1 is susceptible to
What is the process of NTLMv2
NTLMv2 sends two responses to the server's 8-byte challenge. Each response contains a 16-byte HMAC-MD5 over the server challenge and a client-generated challenge, keyed with an HMAC-MD5 of the user's NT hash, username and domain (NTOWFv2). The second response uses a variable-length client challenge that includes the current time, an 8-byte random value and the domain name
Merits of NTLMv2
Much stronger than v1: HMAC-MD5 with a client challenge and timestamp resists precomputation and replay of captured challenge/responses, while remaining compatible with legacy systems. The underlying NT hash is still unsalted, so captured NetNTLMv2 can be cracked offline and the NT hash itself still enables Pass-the-Hash
How many hashes does Cached Credentials store
Last 10
What is AD Group Policy
An AD feature that provides admins with advanced settings they can apply to both user and computer accounts in a Windows environment
What are some things that can be configured using Group Policy
Policies such as screen lock timeouts, disabling USB ports, enforcing custom domain password policies, installed software, managing applications, etc.
What is a GPO
It is a virtual collection of Group Policy settings that can be applied to user(s) or computer(s)
What does GPO stand for
Group Policy Object
What is Local Security Policy
It is a set of security-related Group Policy settings that are applied to a single computer (not whole OUs)
What file manages the Local Security Policy
gpedit.msc
What is the GPO order of precedence
In order: Local Security Policy, Site Policy, Domain Policy, Parent OU policy, Child OU policy
What is the name of the default Group Policy
Default Domain Policy
When is the Default Domain Policy used
It is used when there are no other Group Policies applied to an object
What is a Rainbow Table Attack
It is a pre-computed table of hashes and their corresponding plaintext passwords, which is a much faster method than a brute-force attack
What are the Rainbow Table Attack’s limitations
The method is limited by the rainbow table size; the bigger the table, the more passwords and hashes it can store
What is the Definition and Enforcement of a Password Policy
Definition: A guideline on what the password policy requires - Enforcement: The technology used to make sure users comply with the password policy
What is a Password Policy
A set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them based on the company’s definition
What are common password policy standards
CIS Password Policy Guide, PCI DSS
What is a sample password policy
Min. 8 characters, must include uppercase and lowercase letters, must include symbols and numbers, it should not be the username
How can we attack SAM
We can dump files with hashes and proceed to crack them
What are the three files that store hashes
hklm\sam, hklm\system, hklm\security
What does hklm\sam contain
Contains the hashes associated with local account passwords; we will need the hashes to crack them and get the user password in plaintext
What does hklm\system store
Contains the system bootkey, which is used to encrypt the SAM database
What does hklm\security store
Contains cached credentials (last 10) for domain accounts
How can we hunt for plaintext credentials
If we have a GUI, we can use built-in search functions like Windows Search to search terms related to passwords
What are keywords we can use to search for plaintext passwords
Passwords, Usernames, Pwd, Passkey, Credentials
What is HTML Source Review
Sift through HTML source code to look for interesting data
What can we gather from web mark-up
Hidden form fields, database connection strings, credentials developers may have left, developer comments, etc.
How to download a HTML site
wget -r -m -nv
What is MySQL
MySQL is an open-source relational database management system developed and supported by Oracle
What is the MySQL file ext
MySQL databases are often stored in a single file with the extension .sql (e.g: wordpress.sql)
What is MariaDB
MariaDB is a fork of the original MySQL, as the chief developer of MySQL left and created MariaDB
What Port does MySQL run on
TCP Port 3306
TCP Port 3306
MySQL
How to see MySQL version
select version();
What is MSSQL
MSSQL is a Windows SQL-based RDBMS that was written to run on the Windows OS due to its strong native support for Microsoft’s .NET framework; therefore it is most often found on Windows hosts
What is the authentication mechanism for MSSQL if authentication is set to Windows Authentication
It will be processed through the local SAM database or the hosting Active Directory
What is the issue with Active Directory for MSSQL auth
If the account is compromised, it could lead to privilege escalation and lateral movement across a Windows domain environment
What is SSMS
SSMS comes as a feature that can be installed with MSSQL or separately; it allows for initial configuration of a database but also long-term management by admins
What does SSMS stand for
SQL Server Management Studio
How to find the SSMS MSSQL client
locate mssqlclient
MSSQL Port
Port 1433
Port 1433
MSSQL
What does nmap have for MSSQL
Nmap has a default MSSQL scan
What are MSSQL Attack Vectors
Dangerous settings, default nmap MSSQL scans, Metasploit scans, can connect via mssqlclient.py
What are dangerous settings in MSSQL
MSSQL clients not using encryption to connect as it is not forced, use of self-signed certificates which can be spoofed, weak and default sa credentials which admins may have forgotten to disable
What is Oracle TNS
Oracle TNS is a communication protocol that facilitates communication between Oracle databases and applications over networks
What does Oracle TNS stand for
Oracle Transparent Network Substrate
Why is Oracle TNS considered safe and secure
Oracle TNS is considered safe and secure as it has built-in encryption mechanisms ensuring the security of data transmitted
What port does Oracle TNS listen on
TCP Port 1521
TCP Port 1521
Oracle TNS
In which versions can Oracle TNS be remotely managed
Oracle 8i/9i but not Oracle 10g/11g
What is the combination used for basic authentication of TNS Listener
Hostname, IP Address, Username, Password
What are the two configuration file names of Oracle TNS
tnsnames.ora and listener.ora
What is the default Oracle 9 password
CHANGE_ON_INSTALL
What is the default Oracle 10 password
There is no default password for Oracle 10
What is the default Oracle DBSNMP password
dbsnmp
What is MSSQL port in hidden mode
2433
Port 2433
MSSQL in hidden mode